Study: The Year's Top-10 Web Application Vulnerabilities

The phrase "Web 2.0" has very little real meaning, as it refers more to Web application concepts than any specific technologies. Nevertheless, tools that are generally considered Web 2.0 have come under fire from several directions for the security vulnerabilities they represent.

Web applications, by far, dominate the list of application security vulnerabilities facing IT organizations. While 29 percent of vulnerabilities are attributable to network and infrastructure weaknesses, a full 71 percent are attributable to both open source and commercial Web applications, according to a report released recently by security firm Cenzic Inc., "Application Security Trend Report for Q4 2007."

On the whole, according to the report, Web application vulnerabilities increased 3 percent in the fourth quarter of 2007 compared with the third quarter. And actual attacks and probes increased from 1.3 million in October 2007 to 1.7 million in December 2007.

The highest percentage of incidents came in the form of probes, attempted access, and scans, accounting for 59 percent of incidents in the fourth quarter. Others included investigation (16 percent), "improper usage" (10.3 percent), unauthorized access (7.6 percent), malicious code (6.9 percent), and denial of service (0.2 percent).

Web 2.0 Issues

In addition to general Web application vulnerabilities, the report highlights several vulnerabilities in technologies used in the development of Web 2.0 applications, adding to a growing list of reports targeting Web 2.0. (See sidebar for more.) These technologies and protocols, spotlighted in the report, include:

For the second half of 2007, these technologies combined represented some 178 identifiable vulnerabilities, with ActiveX by far the largest culprit at 111 individual vulnerabilities. (Flash came in second with 23, RSS in third with 14, and AJAX in fourth with 10.)

Said the report, "These technologies are often combined to enable rich-media Internet applications, enhanced user interactivity, and syndication, all core elements of the application design principles that are associated with Web 2.0. The vulnerability count includes vulnerabilities in any application that implements one or more of the listed technologies. Research into the vulnerability types above showed general declines in all areas with the exception of flash technology, which increased from one disclosed vulnerability during the first half of 2007, to more than 20 vulnerabilities disclosed in the second half of 2007."

The numbers, however, are not all-inclusive.

Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers are low because these are known, reported, and published vulnerabilities. There are potentially a lot more in the internal applications using Web 2.0 applications. Also, there are probably a lot more in commercial apps that haven't been found or reported due to limited expertise in skills, tools, and knowledge around these technologies."

The Top Open Source and Commercial Application Vulnerabilities

The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities across the whole spectrum of commercial and open source applications. Of these, the most severe in the fourth quarter of 2007 included (in order):

1. OpenSSL Off-By-One Overflow
2. Java Web Start Bugs
3. Adobe Acrobat URI Handling Bug
4. IBM Lotus Notes Buffer Overflow
5. RealPlayer Input Validation Flaw
6. IBM WebSphere Application Server Input Validation Hole
7. IBM WebSphere Input Validation Hole
8. PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
9. Apache Input Validation Hole
10. Adobe Flash Player Bugs

Further information about each of these can be found in the report, available in PDF form here.

Cenzic said of the applications studied, 70 percent "engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions." And 60 percent were affected by the most common injection flaw, cross-site scripting.

There are, of course, implications for home-grown Web applications as well.

"...These findings do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications," the company said.

"A vast majority of applications are proprietary and created in-house or outsourced to India, Russia, China, and former [Soviet Bloc] countries," Cenzic's Khera told us. "There are a lot more vulnerabilities in those applications, including back-doors that very few companies are checking for. The best advice we can give is that corporations and government agencies need to assess all their applications on a continuous basis so they can find these vulnerabilities and either fix them right away or find another way to block hackers. Companies can also start with a remotely managed assessment service if they are not ready to install a software solution in house."

Web Browser Vulnerabilities: IE Safest?

The report also highlighted vulnerabilities in Web browsers themselves. It cited Microsoft Internet Explorer as having the fewest "reported vulnerabilities" during the final quarter of 2007, beating out Safari, Opera, and Firefox for the first time. Khera said he believes that Microsoft is "putting the most resources in fixing their vulnerabilities."

The Opera browser was responsible for the highest percentage of reported vulnerabilities by major type, at 38 percent, followed by Firefox at 32 percent. Safari had 15 percent, followed by IE at 10 percent.

Information for the browser vulnerability portion of the study was compiled from vulnerabilities reported by developers, users, researchers, and the browser vendors themselves.

Further information about the study and a downloadable version of the study itself can be found at Cenzic's Web site.


About the Author

David Nagel is editorial director, education for 1105 Media's Public Sector Media Group. A 22-year publishing veteran, Nagel has led or contributed to dozens of technology, art and business publications.
